mirror of https://github.com/torvalds/linux.git
9d7dfb95da
Add VMX exit handlers for SEAMCALL and TDCALL to inject a #UD if a non-TD guest attempts to execute SEAMCALL or TDCALL. Neither SEAMCALL nor TDCALL is gated by any software enablement other than VMXON, and so will generate a VM-Exit instead of e.g. a native #UD when executed from the guest kernel. Note! No unprivileged DoS of the L1 kernel is possible as TDCALL and SEAMCALL #GP at CPL > 0, and the CPL check is performed prior to the VMX non-root (VM-Exit) check, i.e. userspace can't crash the VM. And for a nested guest, KVM forwards unknown exits to L1, i.e. an L2 kernel can crash itself, but not L1. Note #2! The Intel® Trust Domain CPU Architectural Extensions spec's pseudocode shows the CPL > 0 check for SEAMCALL coming _after_ the VM-Exit, but that appears to be a documentation bug (likely because the CPL > 0 check was incorrectly bundled with other lower-priority #GP checks). Testing on SPR and EMR shows that the CPL > 0 check is performed before the VMX non-root check, i.e. SEAMCALL #GPs when executed in usermode. Note #3! The aforementioned Trust Domain spec uses confusing pseudocode that says that SEAMCALL will #UD if executed "inSEAM", but "inSEAM" specifically means in SEAM Root Mode, i.e. in the TDX-Module. The long- form description explicitly states that SEAMCALL generates an exit when executed in "SEAM VMX non-root operation". But that's a moot point as the TDX-Module injects #UD if the guest attempts to execute SEAMCALL, as documented in the "Unconditionally Blocked Instructions" section of the TDX-Module base specification. Cc: stable@vger.kernel.org Cc: Kai Huang <kai.huang@intel.com> Cc: Xiaoyao Li <xiaoyao.li@intel.com> Cc: Rick Edgecombe <rick.p.edgecombe@intel.com> Cc: Dan Williams <dan.j.williams@intel.com> Cc: Binbin Wu <binbin.wu@linux.intel.com> Reviewed-by: Kai Huang <kai.huang@intel.com> Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com> Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com> Link: https://lore.kernel.org/r/20251016182148.69085-2-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com> |
||
|---|---|---|
| .. | ||
| Kbuild | ||
| a.out.h | ||
| amd_hsmp.h | ||
| auxvec.h | ||
| bitsperlong.h | ||
| boot.h | ||
| bootparam.h | ||
| byteorder.h | ||
| debugreg.h | ||
| e820.h | ||
| elf.h | ||
| hw_breakpoint.h | ||
| hwcap2.h | ||
| ist.h | ||
| kvm.h | ||
| kvm_para.h | ||
| kvm_perf.h | ||
| ldt.h | ||
| mce.h | ||
| mman.h | ||
| msgbuf.h | ||
| msr.h | ||
| mtrr.h | ||
| perf_regs.h | ||
| posix_types.h | ||
| posix_types_32.h | ||
| posix_types_64.h | ||
| posix_types_x32.h | ||
| prctl.h | ||
| processor-flags.h | ||
| ptrace-abi.h | ||
| ptrace.h | ||
| sembuf.h | ||
| setup.h | ||
| setup_data.h | ||
| sgx.h | ||
| shmbuf.h | ||
| sigcontext.h | ||
| sigcontext32.h | ||
| siginfo.h | ||
| signal.h | ||
| stat.h | ||
| statfs.h | ||
| svm.h | ||
| swab.h | ||
| ucontext.h | ||
| unistd.h | ||
| vm86.h | ||
| vmx.h | ||
| vsyscall.h | ||